Vulnerability Name: | CVE-2017-12629 (CCN-133524)
Assigned: | 2017-09-22
Published: | 2017-09-22
Updated: | 2022-04-19
Summary: | Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr.
CVSS v3 Severity: | 9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
8.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
CVSS v2 Severity: | 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Vulnerability Type: | CWE-611
Vulnerability Consequences: | Gain Access
References: |
Source: MITRE Type: CNA CVE-2017-12629
Source: CCN Type: Apache Web site Apache Solr and Apache Lucene
Source: MLIST Type: Mailing List, Vendor Advisory [www-announce] 20171019 [SECURITY] CVE-2017-12629: Several critical vulnerabilities discovered in Apache Solr (XXE & RCE)
Source: CCN Type: oss-sec Mailing List, Fri, 13 Oct 2017 17:41:18 +0200 CVE-2017-12629 Solr: Code execution via entity expansion
Source: MISC Type: Mailing List, Third Party Advisory http://openwall.com/lists/oss-security/2017/10/13/1
Source: CCN Type: IBM Security Bulletin 2010330 (InfoSphere Information Server) A vulnerability in Apache Solr affects IBM InfoSphere Information Server
Source: CCN Type: IBM Security Bulletin 2015247 (Security QRadar SIEM) Open Source Apache Solr as used in IBM QRadar Incident Forensics is vulnerable to arbitrary code execution. (CVE-2017-12629)
Source: BID Type: Third Party Advisory, VDB Entry 101261
Source: CCN Type: BID-101261 Apache Solr/Lucene CVE-2017-12629 Information Disclosure and Remote Code Execution Vulnerabilities
Source: REDHAT Type: Third Party Advisory RHSA-2017:3123
Source: REDHAT Type: Third Party Advisory RHSA-2017:3124
Source: REDHAT Type: Third Party Advisory RHSA-2017:3244
Source: REDHAT Type: Third Party Advisory RHSA-2017:3451
Source: REDHAT Type: Third Party Advisory RHSA-2017:3452
Source: REDHAT Type: Third Party Advisory RHSA-2018:0002
Source: REDHAT Type: Third Party Advisory RHSA-2018:0003
Source: REDHAT Type: Third Party Advisory RHSA-2018:0004
Source: REDHAT Type: Third Party Advisory RHSA-2018:0005
Source: XF Type: UNKNOWN apache-cve201712629-code-exec(133524)
Source: MLIST Type: Mailing List, Vendor Advisory [solr-users] 20210618 Re: CVE-2021-27905 Apache Solr ReplicationHandler/SSRF vulnerability
Source: MLIST Type: Mailing List, Vendor Advisory [jackrabbit-oak-issues] 20210817 [jira] [Created] (OAK-9537) Security vulnerability in org/apache/lucene/queryparser/xml/CoreParser.java
Source: MLIST Type: Mailing List, Vendor Advisory [solr-users] 20210728 Re: CVE-2021-27905 Apache Solr ReplicationHandler/SSRF vulnerability
Source: MLIST Type: Mailing List, Vendor Advisory [solr-users] 20210618 CVE-2021-27905 Apache Solr ReplicationHandler/SSRF vulnerability
Source: MLIST Type: Mailing List, Third Party Advisory [debian-lts-announce] 20180121 [SECURITY] [DLA 1254-1] lucene-solr security update
Source: CCN Type: Packet Storm Security [10-18-2017] Apache Solr 7.0.1 XXE Injection / Code Execution
Source: MLIST Type: Exploit, Mailing List, Vendor Advisory [lucene-dev] 20171012 Re: Several critical vulnerabilities discovered in Apache Solr (XXE & RCE)
Source: MISC Type: Third Party Advisory https://twitter.com/ApacheSolr/status/918731485611401216
Source: MISC Type: Third Party Advisory https://twitter.com/joshbressers/status/919258716297420802
Source: MISC Type: Third Party Advisory https://twitter.com/searchtools_avi/status/918904813613543424
Source: UBUNTU Type: Third Party Advisory USN-4259-1
Source: DEBIAN Type: Third Party Advisory DSA-4124
Source: EXPLOIT-DB Type: EXPLOIT Offensive Security Exploit Database [10-17-2017]
Source: EXPLOIT-DB Type: Exploit, Third Party Advisory, VDB Entry 43009
Source: CCN Type: IBM Security Bulletin 6953705 (Business Automation Manager Open Editions) Multiple security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 8.0.2
Vulnerable Configuration: | Configuration 1: Configuration 2: Configuration 3: Configuration 4: Configuration CCN 1: